FBI wipes Chinese PlugX malware from thousands of Windows PCs in America

Hey, Xi: Zài jiàn!


The FBI, working with French cops, obtained nine warrants to remotely wipe PlugX malware from thousands of Windows-based computers that had been infected by Chinese government-backed criminals, according to newly unsealed court documents.

The Feds had been tracking a crew called Mustang Panda, aka Twill Typhoon, for years, and claimed the Beijing-linked team had broken into “numerous government and private organizations” in the US, Europe, and Indo-Pacific region.

“Significant foreign targets include European shipping companies in 2024, several European Governments from 2021 to 2023, worldwide Chinese dissident groups, and governments throughout the Indo-Pacific,” American prosecutors noted [PDF] in court filings.

According to the Feds, the People’s Republic of China paid Mustang Panda to, among other computer intrusion services, provide malware including PlugX.

The crew used a version of PlugX that allowed the miscreants to remotely access and control infected machines, steal files, and deploy additional malware. As detailed in the unsealed application for a search and seizure warrant to wipe the software from people's Microsoft Windows PCs:

This variant of PlugX malware spreads through a computer’s USB port, infecting attached USB devices, and then potentially spreading to other Windows-based computers that the USB device is later plugged into. Once it has infected the victim computer, the malware remains on the machine (maintains persistence), in part by creating registry keys which automatically run the PlugX application when the computer is started. Owners of computers infected by PlugX malware are typically unaware of the infection.

Yes, via USB flash drives. How very Stuxnet. That would allow the snoops to bypass air gaps and similar defenses.

French law enforcement [PDF] and Sekoia.io, a France-based private cybersecurity company, pulled the plug on PlugX and shut down the operation in 2023, after Sekoia compromised the system behind the lone IP address Mustang Panda used to remotely control computers infected with the software nasty.

That move came after Sophos documented the USB-hopping PlugX earlier that year. Devices behind 45,000 IP addresses in the US alone had attempted to connect to that one remote-control server since its takedown, we're told.

Then in August 2024, the US Justice Department and FBI went to court to obtain nine warrants authorizing the deletion of PlugX from machines in America, which was then carried out. The last of these warrants expired on January 3, and in total, the operation wiped PlugX from about 4,258 US-based systems.

As we understand it, the Feds tested a self-destruct command built into PlugX that removes the malicious code from an infected machine, then remotely issued that command to infected PCs to erase the software. The command was sent from a server at the IP address Mustang Panda had previously used to control the bots, which the French had seized.

According to the FBI, this self-delete command did the following:

a. delete the files created by the PlugX malware on the victim computer,

b. delete the PlugX registry keys used to automatically run the PlugX application when the victim computer is started,

c. create a temporary script file to delete the PlugX application after it is stopped,

d. stop the PlugX application, and

e. run the temporary file to delete the PlugX application, delete the directory created on the victim computer by the PlugX malware to store the PlugX files, and delete the temporary file from the victim computer.
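A check that follows from the persistence mechanism described in the warrant application and from step b of the self-delete sequence: list the Run/RunOnce autorun values on a Windows host and flag any that start a program outside Program Files or the Windows directory, or whose target file no longer exists (a stale Run value is what a cleanup that deleted the files but missed the registry keys would leave behind). This is an added example written for this page, not code from the FBI, Sekoia or the court filings; it carries no PlugX-specific indicators, since the page publishes none, so the allow-list of trusted directories and the output columns are its own assumptions. Run it in an elevated PowerShell session so the HKLM keys are readable:

```powershell
# Autorun locations this example audits (standard Windows registry paths).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Directories from which an autorun target is treated as expected. This allow-list is
# an assumption of the example; tune it for the host being checked.
$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
    Where-Object { -not [string]::IsNullOrWhiteSpace($_) } |
    ForEach-Object { $_.TrimEnd('\') }

# Properties Get-ItemProperty adds to its output that are not registry values.
$psNoise = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-ImagePath {
    # Pull the executable path out of an autorun command line, which may be quoted
    # ("C:\dir\app.exe" /arg), unquoted with arguments (C:\dir\app.exe /arg) or a bare path.
    param([string]$Command)
    $cmd = $Command.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cmd, '^(.+?\.(?:exe|dll|cmd|bat|vbs|js|ps1))(?:\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

function Test-TrustedPath {
    # True when the path sits under one of the trusted roots (case-insensitive prefix match).
    param([string]$Path)
    foreach ($root in $trustedRoots) {
        if ($Path.StartsWith($root + '\', [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($p in $props.PSObject.Properties) {
        if ($psNoise -contains $p.Name) { continue }
        $image  = [Environment]::ExpandEnvironmentVariables((Get-ImagePath ([string]$p.Value)))
        $exists = (-not [string]::IsNullOrWhiteSpace($image)) -and
                  (Test-Path -LiteralPath $image -PathType Leaf)
        [pscustomobject]@{
            Key     = $key
            Name    = $p.Name
            Command = [string]$p.Value
            Image   = $image
            Exists  = $exists
            Trusted = Test-TrustedPath $image
        }
    }
}

# Report entries that start something outside the trusted directories, or that point at a
# file which no longer exists (a stale Run value left behind after the files were deleted).
$findings | Where-Object { -not $_.Trusted -or -not $_.Exists } |
    Format-Table Key, Name, Image, Exists, Trusted -AutoSize
```

An entry in the report is not proof of infection; plenty of legitimate software installs under the user profile. It is a short list to examine by hand, and an entry whose file is missing is worth deleting regardless, since it will keep failing at every logon.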

The PlugX removal follows other international operations against China’s Volt Typhoon (although its botnet appears to be back in action) and Flax Typhoon, and Russia’s APT28 (aka Fancy Bear).

“This wide-ranging hack and long-term infection of thousands of Windows-based computers, including many home computers in the United States, demonstrates the recklessness and aggressiveness of PRC state-sponsored hackers,” US Attorney Jacqueline Romero said in a statement today.

The FBI says it is notifying US victims via their internet service providers that their Windows machines had been infected by the malware and were cleaned up during this operation. ®
